Cracking Syskey and the SAM on Windows XP, 200 and NT 4 using Open Source Tools

If this is your first visit, be sure to
check out the FAQ by clicking the
link above. You may have to register
before you can post: click the register link above to proceed. To start viewing messages,
select the forum that you want to visit from the selection below.

Cracking Syskey and the SAM on Windows XP, 200 and NT 4 using Open Source Tools

Cracking Syskey and the SAM on Windows XP, 200 and NT 4 using Open Source Tools

A little over a year ago I wrote a little tutorial called ďCracking Windows 2000 And XP Passwords With Only Physical AccessĒ [0]. It was pretty popular and the data is still useful but in the last year Iíve found far better ways to crack a SAM file with SysKey enabled. One reason Iím writing this new tutorial is because sometime after SAMInside v.2.1.3 exporting to a PWDump file was disabled in the demo version. There are still ways SAMInside could be used, but there are better Open Source tools now that can do the same tasks. This tutorial will recap parts of the original, but also give a far simpler, faster and more concise way to crack hashes in the SAM file that are protected by SysKey.

SysKey is an extra level of encryption put on the hashes in the SAM file [1]. SysKey was introduced in Service Pack 3 (SP3) for NT 4 but every version of Windows since has had SysKey enabled by default. The way most folks crack a SAM file on a system that uses SysKey is by running a utility called PWDump as an admin to get the LM (LAN Manager) and NT hashes. The problem is PWdump only works if you can run it from an administrator level account, and if the reason an attacker is cracking the hashes in the first place is to get an administrator level account then PWdump is of little use.

Some folks will ask why would you want to crack the passwords in the SAM at all since itís far easier to just change the Administrator password using a Linux boot disk or Salaís Password Renew for PE Builder. The reason an attacker may want to crack the local passwords instead of changing them is two fold:

1. An attacker doesnít want to tip off the system administrators. If they notice that the old local admin password no longer works they will get a little bit suspicious donít you think? This is somewhat solved by Salaís Password Renew since it lets you add new admin level accounts as well as change existing accountís passwords.

2. The same local account passwords may be used on other systems on the network (and most likely are if they use imaging software like Ghost). If the attacker can crack one machineís admin password that same password may allow the attacker to gain access to other boxes on that LAN that they only have remote access (across the network) to.

This article assumes that the attacker has only physical access to the machine whose SAM they want to crack and that they also have access to the Knoppix variant known as the Auditor security collection boot CD [5] (Iím using version 120305-01 in this tutorial). Here are the steps you will need to take in order to audit local passwords using the Auditor CD:

Step 1. Download the Auditor Boot CD ISO and burn it to a CD-R. All of the tools we will be using in this tutorial come on the Auditor Boot CD.

Step 2. Insert the Auditor Boot CD into the target system, reboot and set the CD-ROM as the first boot device in the BIOS. Some systems let you hold down a certain function key at startup to choose what media to boot from (on recent Dellís itís F12).

Step 3. Auditor will begin to boot and ask you what screen resolution you want to use. Choose a resolution that your monitor and video card will support (I use 2 for 1024x768) then hit enter.

Step 4. When Auditor finishes booting click on the icon on the KDE bar for a new terminal window (it looks like a little monitor). Below you will see the commands you will have to use to get past SysKey, extract the hashes and attempt to crack the password hashes.

Step 5. Mount the local hard disk, most likely hda1:

Code:

mount /dev/hda1

Step 6. Change the present working directory to the ramdisk so we space to work with the files we will be creating:

Code:

cd /ramdisk/

Step 7. Auditor comes with Ncuomoís Samdump2 and Bkhive [6]. We will be using these tools to extract the system key from the System hive and the password hashes from the SAM file. To get the system key we need to use the Bkhive on our SYSTEM file (most likely in C:\WINDOWS\system32/config\SYSTEM, thatís where it is on my XP Pro test box, on some systems it will me in C:\WINNT\system32/config\SYSTEM or perhaps some other drive entirely). By the way, if for some reason you are running NT4 SP3 you will need to use Bkreg instead, all later system (NT4 SP4, 2000 and XP) use Bkhive. To grab the system key and put it into a file we use the following command:

Step 9. At this point we have a PWDump format file called password-hashes.txt that we could copy off of the system and import into L0phtcrack [7] or Cain [8] (see the old tutorial for details). Since I said we were going to do it all with the Auditor CD and Open Source tools we will use John the Ripper to crack the hashes, but before we can use John we have to extract one of the many wordlists that comes with Auditor. Take a look on the CD in /opt/auditor/full/share/wordlists/ for all of the different wordlists you can use, Iíll use english.txt for this tutorial. To extract english.txt to the ramdisk use the following command:

Step 10. Now that everything is in place we can run John with a simple dictionary attack to see if we can crack any of the hashes:

Code:

john password-hashes.txt -w:eng.txt

John detects that the dump file has LM (LAN Manager) hashes in it and chooses the format ďNT LM DES [32/32 BS]Ē automatically. If I had disabled the storing of LM hashes in the SAM I might want to use the Ėf option to specify the NT hash format and try to crack the NT hashes instead. To do that I would use the following command:

Code:

john password-hashes.txt -f:NT -w:eng.txt

If dictionary attacks arenít working and you have a lot of time (as well as a fast computer) you can try Johnís incremental (brute force) mode and see if it gives you better results:

Code:

john password-hashes.txt -i:all

Incremental mode is limited to only eight characters unless you change the source before you compile it, but at more than eight characters you will likely be waiting a very long time for John to finish. Doing more that eight characters is pointless anyway if you have the LM hashes since there are stored as two seven byte parts (NT hashes are a different story and can be harder to crack).

In case you were wondering what all of these commands would look like along with their output here is a copy of my session log that may help you understand how they all work together (notice that the password for the Administrator account is ďmonkeyĒ):

There are a few things you can do to make it harder for attacker to crack you local passwords. An attacker will most likely have to get into the BIOs to set it to boot from the CD-ROM. Setting up a BIOs password will help keep crackers from using the Auditor CD (or any boot CD) but if they can get into the computerís case itís easy to reset a BIOs password so some sort of physical case lock should be used as well. Strong passwords (non-dictionary words with more that just alphanumeric characters) will also make it harder for attackers to crack passwords since they will have to resort to potentially slow brute force methods.

I hope this short tutorial helps, feel free to write me if you have any questions. Some other techniques you may want to look into for faster cracking are cracking clusters [9] and Rainbow tables [10]. Enjoy your hash.